CVE-2013-3482
Published 2014-01-19
Priority P356 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 31.51% (98.1th percentile)
Stack-based buffer overflow in the rf_report_error function in ermapper_u.dll in Intergraph ERDAS ER Viewer before 13.0.1.1301 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long string in an ERS file.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hexagon | erdas_er_viewer | <= 13.0.1.1298 | — |
| hexagon | erdas_er_viewer | — | — |
| hexagon | erdas_er_viewer | — | — |
Detection & IOCs
bytes: DatasetHeader Begin ... End
- Look for malicious .ERS files containing a 'DatasetHeader Begin...End' block with an oversized string (>191 bytes) in the header field, which triggers the stack-based buffer overflow in rf_report_error.
- The exploit buffer offset to EIP overwrite is 191 bytes; monitor for ERS files where the DatasetHeader content exceeds this length.
- Detect the egghunter tag string 'w00t' within .ERS file content, which is a marker used by the Metasploit exploit payload.
- Monitor for the ROP gadget address 0x100E1152 (xchg eax, esp # ret from ermapper_u.dll) appearing in memory or file content, indicating DEP/ASLR bypass exploitation of this CVE.
- The exploit uses ethrlib.dll ROP gadgets (e.g., 0x30d059d9 INC EBX # RETN); presence of ethrlib.dll loaded in the ERS Viewer process alongside ermapper_u.dll is expected in exploitation.
- The ROP gadget addresses and offsets are specific to ERS Viewer 2013 version 13.0.0.1151 only; they will not apply to other versions.
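The length and 'w00t' indicators above can be checked statically before a file reaches the viewer. The scanner below is an added example, not code from this page or its sources. It assumes .ERS headers are line-oriented text and treats any header line over 191 bytes as suspicious, which is a heuristic; `scan_ers` and the sample data are illustrative names and constructed inputs.

```python
import re

MAX_FIELD_BYTES = 191   # bytes before the saved return address, per the page
EGG_TAG = b"w00t"       # egghunter tag named on the page
BEGIN_RE = re.compile(rb"DatasetHeader\s+Begin")
END_RE = re.compile(rb"DatasetHeader\s+End")


def scan_ers(data: bytes) -> list:
    """Return findings for the raw bytes of one .ERS file."""
    findings = []
    for begin in BEGIN_RE.finditer(data):
        end = END_RE.search(data, begin.end())
        if end is None:
            # No closing marker: scan to end of file rather than skip the block.
            findings.append("DatasetHeader block has no 'DatasetHeader End'")
            block = data[begin.end():]
        else:
            block = data[begin.end():end.start()]
        # Longest single line in the block, ignoring surrounding whitespace.
        longest = max((len(ln.strip()) for ln in block.splitlines()), default=0)
        if longest > MAX_FIELD_BYTES:
            findings.append(
                f"header line of {longest} bytes exceeds {MAX_FIELD_BYTES}")
    if EGG_TAG in data:
        findings.append("egghunter tag 'w00t' present")
    return findings


# Constructed samples (not real files): a small benign header and an
# oversized one built from filler bytes only.
BENIGN = (b"DatasetHeader Begin\r\n\tVersion = \"7.0\"\r\n"
          b"\tDataType = Raster\r\nDatasetHeader End\r\n")
OVERSIZED = b"DatasetHeader Begin\r\n\t" + b"A" * 400 + b" End\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, scan_ers(sample))
```

A hit on the length check alone is a triage signal rather than proof of exploitation; the gadget addresses listed above apply only to version 13.0.0.1151.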
No detection rules found.
Exploit-DB
ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)
exploitdb·2013-07-09
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "ERS Viewer 2013 ERS File Handling Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
The vulnerability exists in the module ermapper_u.dll, where the function
rf_report_error handles user provided data in a insecure way. It results in
arbitrary code execution under the context of the user viewing a specially crafted
.ers file. This module has been tested succes
Metasploit
ERS Viewer 2013 ERS File Handling Buffer Overflow
metasploit
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function rf_report_error handles user provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2013 (versions 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.
- http://attrition.org/pipermail/vim/2013-May/002682.html
- http://osvdb.org/show/osvdb/93650
- http://secunia.com/advisories/53620
- http://www.exploit-db.com/exploits/26708
- http://www.secunia.com/blog/366